Parameter Tampering Issue
Description
Site: https://layer5.io/company/contact
Through this bug, a user can change the “Scope of Question”, which is not given on the form, and it is not expected for someone to ask a question that is not related to the “Scope of Question” given on the contact form. The changed Scope of Question also reflects in the auto email sent to the user after the form is submitted.
Expected Behavior
Forwarded Request:
POST /gguommoyd14634ur9xs7l37widuoa7e9 HTTP/2
Host: hook.us1.make.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 173
Origin: https://layer5.io
Dnt: 1
Referer: https://layer5.io/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Te: trailers
{"memberFormOne":{"subscribed":false,"firstname":"test","lastname":"test","email":"yashsancheti24@gmail.com","subject":"test","message":"test","scope":"test","form":"contact"}}
Maybe using some encrypted text in scope can solve this issue.
Environment:
- Host OS: Windows 11
- Browser: Google Chrome
Checklists:
- Disallow strings for scope which are not allowed.
- Apply rate limit on number of times the form is submitted.
- Check if a user can change “subscribed”:false to “subscribed”:true to subscribe “email”:“xyz”.
- Resolve #3291 which is on this form as well.
Contributor Resources and Handbook
The layer5.io website uses Gatsby, React, and GitHub Pages. Site content is found under the master branch.
- 📚 See contributing instructions
- 🎨 Wireframes and designs for Layer5 site in Figma.
- 🙋🏾🙋🏼 Questions: Discussion Forum and Community Slack
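The checklist above asks for scope values to be restricted and for form submissions to be rate limited. As an added example (not layer5.io code, and not the make.com webhook's logic), this is what a server-side check in front of that webhook could look like: the allowed scope values, the rate-limit numbers and the field names other than those in the captured request are assumptions.

```javascript
// Added example: validate the contact-form JSON shown in this issue before it
// reaches the webhook. ALLOWED_SCOPES is an assumed placeholder list; the issue
// does not state the real options shown on the form.
const ALLOWED_SCOPES = new Set(["general", "support", "partnership"]); // assumed
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MAX_MESSAGE_LEN = 2000; // assumed limit
const ALLOWED_KEYS = ["subscribed", "firstname", "lastname", "email",
                      "subject", "message", "scope", "form"];

// Returns { ok: true, value } with the checked form, or { ok: false, errors }.
function validateContactPayload(body) {
  const errors = [];
  const form = body && body.memberFormOne;
  if (!form || typeof form !== "object") {
    return { ok: false, errors: ["memberFormOne missing"] };
  }
  // Reject unexpected keys so extra fields cannot be smuggled to the webhook.
  for (const k of Object.keys(form)) {
    if (!ALLOWED_KEYS.includes(k)) errors.push(`unexpected field: ${k}`);
  }
  // "subscribed" must be a real boolean, not the string "true".
  if (typeof form.subscribed !== "boolean") errors.push("subscribed must be boolean");
  if (form.form !== "contact") errors.push("form must be 'contact'");
  // The point of this issue: scope is a fixed choice, never free text.
  if (!ALLOWED_SCOPES.has(form.scope)) errors.push("scope not in allowlist");
  if (typeof form.email !== "string" || !EMAIL_RE.test(form.email)) errors.push("invalid email");
  for (const f of ["firstname", "lastname", "subject", "message"]) {
    if (typeof form[f] !== "string" || form[f].trim() === "") errors.push(`${f} required`);
  }
  if (typeof form.message === "string" && form.message.length > MAX_MESSAGE_LEN) {
    errors.push("message too long");
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { ...form } };
}

// Fixed-window rate limiter keyed by client (e.g. IP or email): at most
// `limit` submissions per `windowMs`. In-memory, so per server instance only.
function makeRateLimiter(limit, windowMs) {
  const buckets = new Map();
  return function allow(key, now = Date.now()) {
    const b = buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      buckets.set(key, { start: now, count: 1 });
      return true;
    }
    if (b.count >= limit) return false;
    b.count += 1;
    return true;
  };
}
```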
Comments
Thank you @leecalcote for checking out this issue! I will edit the post soon and list the cases which need to be covered.
Thank you for filing this, @Onyx2406. While the fix will ultimately be done in a separate system, this is something that you can participate in seeing to resolution. And it’s certainly something that we appreciate you engaging with us on. This is helpful. Soon, hopefully, there will be word on the readiness of testing of a solution that has been implemented and confirmation of the details of that solution (i.e. the rules / checks / protections that have been put in place) and your verification of it.
@Onyx2406, to help advance a solution, if you were to list the cases that need to be covered as a checklist, that would be helpful. Example:
<alphanumeric+more-alphanumeric@domain.tld>